privileges.5 (2010 09)

privileges(5) privileges(5)
WARNINGS
Product documentation, as discussed above, describes alternate ways that programs or users can obtain
sufficient privileges to perform restricted operations.
Network Issues
Privileges are not propagated across distributed systems. They are applied only on the local system. For
example, a process with PRIV_DACREAD or PRIV_DACWRITE cannot access a file on another system if
it is necessary to override discretionary restrictions to do so.
For example, if the system’s NFS subsystem is configured to translate the user ID zero to the user ID
UID_NOBODY, it still does so. Also, some system daemons check to see if a connection originates from a
privileged port (typically 0-1023) to determine whether to allow or deny the connection. This behavior is
not and should not be altered.
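The privileged-port check described above, sketched as an added example (it is not part of this manual page and is not taken from any HP-UX daemon). The names allow_peer, allow_connection, decide and PRIV_PORT_LIMIT are hypothetical; the peer addresses are constructed. The decision depends only on the peer's source port, so privileges held by the remote process never enter into it.

```c
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define PRIV_PORT_LIMIT 1024   /* ports 0-1023 are the privileged range */

/* Hypothetical policy: allow only peers whose source port is privileged.
 * Returns 1 = allow, 0 = deny. */
int allow_peer(const struct sockaddr_storage *ss)
{
    in_port_t port;
    if (ss->ss_family == AF_INET)
        port = ((const struct sockaddr_in *)ss)->sin_port;
    else if (ss->ss_family == AF_INET6)
        port = ((const struct sockaddr_in6 *)ss)->sin6_port;
    else
        return 0;                      /* no port to judge: deny */
    return ntohs(port) < PRIV_PORT_LIMIT;
}

/* What a daemon would call on an accepted socket; fails closed on error. */
int allow_connection(int fd)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;
    if (getpeername(fd, (struct sockaddr *)&ss, &len) != 0)
        return 0;
    return allow_peer(&ss);
}

/* Builds a constructed peer address (no network needed) and applies the policy. */
int decide(int family, in_port_t port)
{
    struct sockaddr_storage ss = {0};
    ss.ss_family = (sa_family_t)family;
    if (family == AF_INET)
        ((struct sockaddr_in *)&ss)->sin_port = htons(port);
    else if (family == AF_INET6)
        ((struct sockaddr_in6 *)&ss)->sin6_port = htons(port);
    return allow_peer(&ss);
}

int main(void)
{
    printf("inet/1023=%d inet/1024=%d inet6/513=%d unix=%d\n",
           decide(AF_INET, 1023), decide(AF_INET, 1024),
           decide(AF_INET6, 513), decide(AF_UNIX, 0));
    return 0;
}
```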
Privilege Escalation
In certain situations, a single privilege or set of privileges can lead to a process gaining additional
privileges that were not explicitly granted. This is known as privilege escalation.
For example, a user with the privilege PRIV_DACWRITE alone may overwrite critical operating system
files and, in the process, may grant himself additional privileges beyond PRIV_DACWRITE.
SEE ALSO
crontab(1), sam(1M), setfilexsec(1M), setrules(1M), shutdown(1M), acct(2), audwrite(2), execve(2),
getfh(2), mknod(2), modload(2), modpath(2), modstat(2), mount(2), nice(2), setrlimit(2),
priv_add_effective(3), priv_remove(3), privileges(3), compartments(4), compartments(5), privgrp(5),
glossary(9).
HP-UX 11i Version 3: September 2010 11 Hewlett-Packard Company 11